Cyber Security and Keeping Your Business Safe

Keeping your information safe (and that of your clients/customers) is important. GDPR and other laws mean that you could face heavy fines if you don’t adopt good practices to prevent being hacked or allowing unauthorised access to the personal data of individuals that is in your possession.

Why Cyber Security Matters for SMEs

A common myth among small and medium-sized businesses is that cybersecurity isn’t all that important because hackers only really target large organisations. “Why would they want to hack me or our website?” Large organisations are indeed targeted, but attackers very often go after smaller companies precisely because they probably don’t have the sophisticated systems and people that a large organisation has to thwart an attack.

If you have a presence online or your mobile number is published anywhere, then you are a target, whether you believe it or not.

The consequences are also worth thinking about: one link clicked in a phishing email that leads to a webpage hosting a Trojan could take your whole network down, much like what happened to the NHS in the WannaCry ransomware attack a few years ago.

Common Security Risks

What are the “usual” things you (and your team) will see that could have a huge negative impact on your business/brand reputation if you don’t protect yourself?

Phishing emails – these are the fake bank, social media, invoice or mobile phone operator emails that say you should log in using the link they provide or “update your details”. You can usually tell by the poor-quality imagery they contain. If you have a good spam filter (for example, through Google Workspace or Office 365), then most of these will be taken care of by your email service provider. Some will get through, so it’s important that you and your team stay vigilant for these types of emails when they arrive (if they don’t use your first name, be cautious).

Weak passwords – using your dog’s name plus 123 isn’t going to cut it anymore, no matter what type of account you’re signing into. You’ll want long, complex passwords for all accounts connected to your business, and a different password for each account. Can’t remember them all? I’m not sure how anyone really could. That’s why using a password manager is the best option.

Oh, and try not to use one login account for multiple people: everyone having a different login with a strong password will help with both security and audit logging.

Lost or stolen devices – this can be a huge issue if you store any sensitive or health data on these devices. So, it’s best to ensure you store the least amount of personal information and data on the devices that you or your team use, and make sure a complex password or passcode is required to access each device.

Unsecured WiFi – if you’re working from a hotel, airport or cafe WiFi, then connect to a VPN before you sign in to any accounts or send any emails. Doing so puts an extra layer between you and anything on that network set up to track your traffic (and potentially steal data or login information).

Outdated software – any device that your business has should have the most up-to-date software on it. Not doing so leaves you open to the risk of being hacked or attacked. If that happens, the impact on your business and brand reputation won’t be great.

Practical Steps to Protect Your Business

Here are some steps you can take to ensure your business is protected.

Strong, unique passwords
– Use a password manager like Bitwarden, 1Password or LastPass. Long, complex passwords are best
– Don’t reuse one password (such as Bobby12#3) across accounts, especially accounts registered with the same email address
– Never use the same password more than once

Two-factor authentication (2FA)
– Turn this on for all important business accounts: email, domain, social media, bank logins
– If someone gets your password, they won’t be able to log in without the second factor

Regular software updates
– Keep your phone, computer, tablet and all apps on their latest (stable) versions
– Updates often patch recognised security issues

Backup, backup, backup
– Use cloud providers to back up all of your data (phone, laptop, website, databases)
– Keep an external hard drive for sensitive/accounting data (ensure it is password protected)

Train your team
– Even if you have just one person helping out part-time, ensure they know how to spot a phishing email, don’t click suspicious links, and double-check any unusual payment requests or requests for detailed information about you or the business

Secure your WiFi & devices
– Use a strong password for your router or repeater devices
– Always use a VPN on a public connection

Limit access
– Not everyone needs admin access to everything: adopt a least-privilege approach

Social Media & Business Safety

Even if you’re only posting once a week on your social accounts and it’s just you doing it, it’s important that you remember to keep in mind your business’s security as you grow.

So, things like:

– Not sharing logins with people on your team or an outside organisation (use the platform’s own role tools instead, such as Facebook Business Manager or LinkedIn Company admin)
– Being aware of fake messages on the platform from fake accounts asking for login details, asking you to log in again, or wanting to talk about your account (if it sounds fake, it probably is)
– Regularly review who has admin access and remove people who don’t need it

Business Website & Assets (and Safety)

There are many different precautions you can take when accessing your business website’s admin panel. Some of them are:

Computer firewall – this is an important one. It can stop malware from getting a foothold on your system and alert you when it detects a potential attack. Personally, I use Bitdefender: most “Total Security” programs (that used to just do antivirus) include a firewall in the upgraded version, and they work pretty well. However, certain ones can slow down your computer quite considerably.

Updated browser – whether you’re using Firefox, Chrome or Safari, it’s best to have the latest version. Obviously, don’t use an outdated version of Internet Explorer (use Edge instead, if you have to). Just make sure you don’t have a version installed from years ago, as known exploits for old versions can leave you vulnerable (and you might not even know).

Secure WiFi – if you’re connecting to your own internet at home or at the office, then everything should be OK. Ensure you have a unique name for the SSID and a secure password. When you’re out in a cafe or public space and want to do some work (or you’re travelling), be careful about connecting to a different WiFi spot. If in doubt, either use your phone as a hotspot or, if you need to use the hotel or restaurant WiFi, connect to a VPN before checking your email or logging in anywhere. This secures the connection between your computer and the VPN provider’s server.

2FA logins – any business-critical logins, e.g., your business website’s admin panel, DNS provider account, and domain registrar, should all have two-factor authentication (2FA) active. This is where a text message is sent to your phone, or (usually more secure and reliable) you use an authenticator app to confirm the login session.

Savviness – not clicking on links in emails, or downloading images or files from people you don’t know. Using a third-party email service, such as Google Workspace, Office 365, or Zoho Business Mail, helps with this. However, it’s not going to stop everything. Therefore, it is essential to understand what looks like spam and what may contain a Trojan or other malware that could infect your computer if you engage with it.

Having all of these above in place will put you in a good position to be resilient against any phishing attempts or hacking attacks.

What To Do If Something Goes Wrong

If it comes to the point where you know (or even think) that someone has (or may have) access to your account(s), then it’s time to do these things immediately:
– Change passwords
– Contact your bank or financial institution if money was involved
– Notify any customers/clients if anything did (or could) affect them within a reasonable time (e.g., with a data breach, you’re obliged to notify individuals under the Data Protection Act 2018)
– Have a recovery plan (what you will do), even if this is a simple checklist of things to complete

Affordable Tools

Having just a handful of tools on hand will help to mitigate against anything bad happening:

– A password manager: these are low-cost and you’ll use one every day
– Internet security suite/anti-virus: a smart choice is to use Bitdefender
– Backups: any reputable cloud provider, such as Google Drive, Dropbox or OneDrive
– A VPN: NordVPN, Surfshark or Proton VPN

Final Thoughts

Cybersecurity doesn’t have to be complicated if you’re not a large organisation. You can make a few simple changes and sleep well at night knowing everything is taken care of: changing passwords often, 2FA, DMARC, backups, updates, and being aware of ongoing threats.

Want a cybersecurity checkup? We can review your current setup, online presence, and see how well protected your business is. Reach out on our contact page.